CVE-2023-39154: 
Java vulnerability analysis and mitigation

The vulnerability (CVE-2023-39154) affects the Jenkins Qualys Web App Scanning Connector Plugin versions 2.0.10 and earlier. The vulnerability was discovered by Yaroslav Afenkin from CloudBees, Inc. and was disclosed on July 26, 2023. This security issue impacts the permission checking mechanism in several HTTP endpoints of the plugin (Jenkins Advisory, OSS Security).

The vulnerability stems from incorrect permission checks implementation in several HTTP endpoints of the Qualys Web App Scanning Connector Plugin. The issue has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity and privilege requirements (NVD).

The vulnerability allows attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, potentially leading to the capture of credentials stored in Jenkins (Jenkins Advisory).

The vulnerability has been fixed in Qualys Web App Scanning Connector Plugin version 2.0.11, which implements proper permission checks for the affected HTTP endpoints. Users are advised to upgrade to this version to mitigate the security risk (Jenkins Advisory).